Security Architecture and Bootloader (U-Boot) Development for Electric Vehicle Charging Controllers (EVSE)

Software for electric vehicle charging controllers.

Security Architecture and Bootloader (U-Boot) Development for Electric Vehicle Charging Controllers (EVSE)

Project Details

  • Task : Implementation
  • Completion : July 2025

Client

German manufacturer of charging controllers for electric vehicles.

Challenge

Managing and securing firmware for a growing fleet of electric vehicle charging controllers (EVSE). The client had multiple hardware variants, which drastically complicated development, update, and maintenance processes. A key challenge was unifying the bootloader (U-Boot), implementing the latest features and security patches, and implementing a robust Secure Boot mechanism to protect charging infrastructure from cyber-physical attacks.

Solution

During collaboration with the client, I conducted comprehensive modernization and security hardening for U-Boot and low-level firmware on EVSE platforms. My actions covered three main areas:

I unified U-Boot configurations for all hardware variants, drastically simplifying development and maintenance.

I ported new U-Boot versions to EVSE platforms, ensuring access to latest features and critical security patches.

I designed and implemented a complete Secure Boot mechanism, including FIT (U-Boot) image verification and kernel signatures using ECDSA cryptography.

I made critical modifications to Device Tree to enforce security policies specific to EVSE applications.

I conducted hardening of I/O ports to increase device resistance to potential attacks.

I created a Linux kernel driver for non-volatile RTC memory, enabling access from both U-Boot and userspace (for critical logs and timestamps).

I implemented system recovery mechanisms from USB at the U-Boot level, drastically improving device serviceability in the field.

I added rescue mode and NFS filesystem mounting from U-Boot, expanding diagnostic and provisioning options.

Result

This work led to creating a unified, secure, and highly reliable software platform for the client’s entire EVSE product line. Implementation of Secure Boot and advanced recovery mechanisms significantly raised security of critical infrastructure and lowered total cost of ownership (TCO).

Technologies Used:

System: U-Boot, Embedded Linux, Linux Kernel Drivers

Security: Secure Boot, FIT Image Verification, ECDSA, Device Tree, I/O Hardening

Concepts: Porting, Platform Unification, Recovery Mechanisms, NFS Boot, RTC

Domain: EVSE (EV Charging Infrastructure)